Oracle chief criticises Amazon’s cloud security amid row over defence contract

Amazon AWS Security

Amazon Web Services is one of the most popular cloud platforms, but Larry Ellison, Oracle’s executive chairman, has spoken out, criticising Amazon’s security.

Speaking at Oracle’s annual user conference in San Francisco earlier this month, Ellison was scathing about Amazon’s security measures as well as taking a swipe at Google and Facebook over their recent data breach issues.

Pay-as-you-cloud

Ellison’s comments were largely aimed at the pay-as-you-go nature of cloud computing, where infrastructure is rented to customers. The popularity of the cloud is largely due to virtualisation, a technology which allows providers to split their client’s data across multiple servers so that some machines may be holding data from multiple companies. This allows the service provider to extract greater performance from its machines.

Although virtualisation should ensure that data from different companies remains separate – even though it’s sitting on the same system – Ellison contends that there are risks in the way Amazon does this. Because the control code that runs AWS sits on the same machines as the data, he believes that it could be possible for hackers to change the code and thus gain access to data from other businesses.

In his speech to the conference, he said that this is, “a fundamental problem with the architecture of the cloud.” He went on to say that Oracle would never put control code and customer data on the same machine in this way.

Theoretical threat

It should be pointed out, however, that the threat Ellison outlined is – at the moment – purely theoretical. To date, no one has actually carried out such an attack. All cloud computing providers are keen to stress that their security arrangements are superior to their competitors.

Recent high profile breaches at major companies have naturally brought information security into the public consciousness, as has new legislation such as GDPR which means breaches must be reported on a strict timescale.

Major contracts

Amazon remains a major player in the cloud computing space, with the technology and retail giant accounting for more than 50 percent of the global market. It’s also seen as a front-runner for the US government’s Joint Enterprise Defense Infrastructure (JEDI) contract, which could be worth around $10 billion over the next decade. JEDI is intended to store classified data and help enable new weaponry.

Oracle, another bidder for the contract, has raised concerns that if the JEDI contract is awarded to a single vendor it could lock the government into legacy technology and run counter to it’s commitment to competition and innovation.

Other companies, including IBM and Microsoft, have also criticised the government’s decision to award JEDI to a single provider. IBM sees it as being against the White House’s ‘Cloud Smart’ policy which is aimed at ensuring the best options from both government and commercial companies are used. There are also concerns that having just one provider will offer adversaries a single target to aim at, introducing greater risk.

The business that wins the contract will not only get substantial government funding but will also be well placed when it comes to getting other government business in the future. Google has already announced that it doesn’t intend to bid for the contract.

The Pentagon has defended its decision to opt for a single provider, with a spokesperson saying, “Starting with a number of firms while at the same time trying to build out an enterprise capability just simply did not make sense.” Using more than one cloud provider is seen as adding unnecessary complexity to the process. A number of legal challenges are expected to delay the awarding of the contract.